[CentOS] SELinux - way of the future or good idea but !!!
John R. Dennison
jrd at gerdesas.com
Sat Nov 27 00:56:14 UTC 2010
On Sat, Nov 27, 2010 at 10:58:00AM +1100, Alison wrote:
> Hi,
>
> total newbie on CentOS. Just firing up an install of 5.5 on a
> development webserver. Installed Webmin, Awstats, PHPMyAdmin and
> Drupal successfully. Yet to work on Sendmail and Samba. SELinux in
> enforcing mode, reporting "SELinux preventing ifconfig (ifconfig_t)
> "read write" to /var/webminsessiondb.pag (var_t)".
There is a reason that control panels are effectively
unsupported; you just hit on one of those reasons. Although I
must admit I don't fully grasp why webmin is referencing
ifconfig_t.
> Googled the error message without real success in finding fix - bug
> reports showing. Question is whether worth pursuing as SELinux is the
> way of the future. Or is SELinux a good idea that never really made
> it's way into the sun. Thoughts please.
There are only a small number of corner cases in which SElinux
is not appropriate; for all other cases it should be enabled.
It exists for a reason and is shipped fully enabled for a
reason. Being able to limit access based on contexts and roles
is an incredibly powerful tool which greatly improves the
security of your server and the integrity of your data.
Following is a list of very useful SElinux resources.
http://wiki.centos.org/HowTos/SELinux
http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/
http://fedorasolved.org/security-solutions/selinux-module-building
http://centoshelp.org/security/selinux-common-commands-troubleshooting
Some quality time with these resources will allow you to correct
the SElinux exception you listed above and also give you a much
better understanding of SElinux as a whole.
John
--
The best argument against democracy is a five minute conversation
with the average voter.
-- Winston Churchill
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.centos.org/pipermail/centos/attachments/20101126/4e2f1118/attachment.sig>
More information about the CentOS
mailing list